Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

SIP is an application-level signaling protocol for setting up, modifying, and terminating real-time sessions between participants over an IP data network. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP DoS attacks are a major threat to networks.

The following are types of SIP DoS attacks:

SIP register flooding: A registration flood occurs when many VoIP devices try to simultaneously register to a network. If the volume of registration messages exceeds the device capability, some messages are lost. These devices then attempt to register again, adding more congestion. Because of the network congestion, users may be unable to access the network for some time.

SIP INVITE flooding: An INVITE flood occurs when many INVITE messages are sent to servers that cannot support all these messages. If the attack rate is very high, the memory of the server is exhausted.

SIP broken authentication and session attack: This attack occurs when an attacker assumes the identity of a valid user, using digest authentication. When the authentication server tries to verify the identity of the attacker, the verification is ignored and the attacker starts a new request with another session identity. These attacks consume the memory of the server.

SIP ALG Dynamic Blacklist

One of the common methods of denial of service (DoS) attacks involves saturating the target network with external communication requests, making the network unable to respond to legitimate traffic. To solve this issue, the SIP ALG Resilience to DoS Attacks feature uses configurable blacklists. A blacklist is a list of entities that are denied a particular privilege, service, or access. Dynamic blacklists are disabled by default. When requests to a destination address exceed the predefined trigger criteria in the configured blacklist, the Session Initiation Protocol (SIP) application layer gateway (ALG) drops these packets.

The following abnormal SIP session patterns are monitored by dynamic blacklists:

In the configured period of time, a source sends multiple requests to a destination and receives non-2xx final responses from the destination (as per RFC 3261, any response with a status code between 200 and 299 is a "2xx response").

In the configured period of time, a source sends multiple requests to a destination and does not receive any response from the destination.
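A simulation of the two trigger patterns above, written for this page as an illustration and not taken from Cisco software. The parameter names (trigger_period, trigger_size, block_time, response_timeout) and the per (source, destination) keying are assumptions for the demo:

```python
# Simulated SIP ALG dynamic-blacklist trigger (added illustration, not Cisco code).
# An abnormal event is a request from src to dst answered with a non-2xx final
# response or left unanswered for response_timeout; trigger_size such events
# inside trigger_period seconds block the (src, dst) pair for block_time seconds.
from collections import defaultdict, deque


class SipDynamicBlacklist:
    def __init__(self, trigger_period, trigger_size, block_time, response_timeout):
        self.trigger_period = trigger_period      # sliding window, seconds
        self.trigger_size = trigger_size          # events needed to trip the block
        self.block_time = block_time              # seconds a pair stays blocked
        self.response_timeout = response_timeout  # silence longer than this = no response
        self.pending = {}                         # (src, dst, call_id) -> send time
        self.events = defaultdict(deque)          # (src, dst) -> abnormal event times
        self.blocked_until = {}                   # (src, dst) -> time the block expires

    def is_blocked(self, src, dst, now):
        until = self.blocked_until.get((src, dst))
        if until is not None and now < until:
            return True
        self.blocked_until.pop((src, dst), None)  # block_time elapsed: forget the entry
        return False

    def _record_abnormal(self, src, dst, now):
        window = self.events[(src, dst)]
        window.append(now)
        while now - window[0] > self.trigger_period:  # drop events outside the period
            window.popleft()
        if len(window) >= self.trigger_size:
            self.blocked_until[(src, dst)] = now + self.block_time
            window.clear()

    def on_request(self, src, dst, call_id, now):
        """Return True if the ALG should forward the request, False to drop it."""
        self.expire_pending(now)
        if self.is_blocked(src, dst, now):
            return False
        self.pending[(src, dst, call_id)] = now
        return True

    def on_final_response(self, src, dst, call_id, status, now):
        # dst answered src's request with a final status; non-2xx counts as abnormal
        if self.pending.pop((src, dst, call_id), None) is not None and not 200 <= status <= 299:
            self._record_abnormal(src, dst, now)

    def expire_pending(self, now):
        """Requests still unanswered after response_timeout count as abnormal."""
        for (src, dst, call_id), sent in list(self.pending.items()):
            if now - sent > self.response_timeout:
                del self.pending[(src, dst, call_id)]
                self._record_abnormal(src, dst, now)
```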

SIP ALG Lock Limit

Both Network Address Translation (NAT) and the firewall use the Session Initiation Protocol (SIP) application layer gateway (ALG) to parse SIP messages and create sessions through tokens. To maintain session states, the SIP ALG uses a per call data structure and Layer 7 data to store call-related information that is allocated when a session is initiated and freed when a session is released. If the SIP ALG does not receive a message that indicates that the call has ended, network resources are held for the call.

Because Layer 7 data is shared between threads, a lock is required to access the data. During denial of service (DoS) and distributed DoS attacks, many threads wait to get the same lock, resulting in heavy CPU usage, which makes the system unstable. To prevent the system from becoming unstable, a limit is added to restrict the number of threads that can wait for a lock. SIP sessions are established in request/response mode. When there are too many concurrent SIP messages for one SIP call, packets that exceed the lock limit are dropped.
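A simulation of the lock limit, written for this page as an illustration and not taken from Cisco software. It assumes a hypothetical BoundedWaitLock whose max_waiters bound plays the role of the lock limit, and a busy holder thread standing in for the thread already working on the call's Layer 7 data:

```python
# Simulated SIP ALG lock limit (added illustration, not Cisco code). Threads
# that want the shared per-call lock are counted; once max_waiters are already
# queued, further callers are refused at once instead of piling up behind it.
import threading
import time

class BoundedWaitLock:
    def __init__(self, max_waiters):
        self.max_waiters = max_waiters
        self._lock = threading.Lock()   # the contended per-call data lock
        self._meta = threading.Lock()   # guards the two counters below
        self.waiters = 0
        self.dropped = 0

    def acquire(self):
        """Return True once the lock is held, False if the caller was refused."""
        with self._meta:
            if self.waiters >= self.max_waiters:
                self.dropped += 1       # the packet is dropped, not queued
                return False
            self.waiters += 1
        self._lock.acquire()            # blocks until the current holder releases
        with self._meta:
            self.waiters -= 1
        return True

    def release(self):
        self._lock.release()

def simulate(max_waiters, n_messages):
    """One busy holder, n_messages concurrent messages; return (processed, dropped)."""
    lock = BoundedWaitLock(max_waiters)
    processed = []

    def handle_message():
        if lock.acquire():
            processed.append(1)
            lock.release()

    lock.acquire()                      # main thread holds the lock while messages arrive
    threads = [threading.Thread(target=handle_message) for _ in range(n_messages)]
    for t in threads:
        t.start()
    while lock.waiters + lock.dropped < n_messages:   # every message queued or dropped
        time.sleep(0.001)
    lock.release()                      # holder finishes; queued messages drain in turn
    for t in threads:
        t.join()
    return len(processed), lock.dropped
```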

SIP ALG Timers

To exhaust resources on Session Initiation Protocol (SIP) servers, some denial of service (DoS) attacks do not indicate the end of SIP calls. To prevent these types of DoS attacks, a protection timer is added.

The SIP ALG Resilience to DoS Attacks feature uses the following timers:

Call-duration timer that controls the maximum length of an answered SIP call.

Call-proceeding timer that controls the maximum length of an unanswered SIP call.

When the configured maximum time is reached, the SIP application layer gateway (ALG) releases resources for this call, and future messages related to this call may not be properly parsed by the SIP ALG.
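A simulation of the two protection timers acting on per-call state, written for this page as an illustration and not taken from Cisco software. The class and parameter names (SipAlgCallTable, call_proceeding_timeout, max_call_duration) are assumptions:

```python
# Simulated SIP ALG call-state table with the two protection timers (added
# illustration, not Cisco code). State is allocated on INVITE and freed on BYE;
# a call whose end is never signalled is released once its timer expires.
class SipAlgCallTable:
    def __init__(self, call_proceeding_timeout, max_call_duration):
        self.call_proceeding_timeout = call_proceeding_timeout  # unanswered limit, seconds
        self.max_call_duration = max_call_duration              # answered limit, seconds
        self.calls = {}  # call_id -> {"started": INVITE time, "answered": 200 OK time or None}

    def on_invite(self, call_id, now):
        self.calls.setdefault(call_id, {"started": now, "answered": None})

    def on_answer(self, call_id, now):
        """200 OK to the INVITE: the call-duration timer counts from here."""
        call = self.calls.get(call_id)
        if call is not None and call["answered"] is None:
            call["answered"] = now

    def on_bye(self, call_id):
        """Normal call end: free the per-call state immediately."""
        self.calls.pop(call_id, None)

    def expire(self, now):
        """Release calls whose timer has run out and return their IDs."""
        released = []
        for call_id, call in list(self.calls.items()):
            if call["answered"] is None:
                deadline = call["started"] + self.call_proceeding_timeout
            else:
                deadline = call["answered"] + self.max_call_duration
            if now >= deadline:
                del self.calls[call_id]
                released.append(call_id)
        return released

    def active_calls(self):
        return len(self.calls)
```

Once expire() has released a call, later messages for that call ID find no state and are ignored, which is the "may not be properly parsed" effect described above.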

How to Configure SIP ALG Resilience to DoS Attacks

Configuring SIP ALG Resilience to DoS Attacks

You can configure the prevention of denial of service (DoS) parameters for the Session Initiation Protocol (SIP) application layer gateway (ALG) that is used by Network Address Translation (NAT) and the zone-based policy firewall.

Technical Assistance

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature Information for SIP ALG Resilience to DoS Attacks

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
